METHOD FOR INTRUSION DETECTION IN A DATABASE SYSTEM

Technical field 

The present invention relates to a method for detecting intrusion in a database managed by an access control system.

Technical background 

In database security it is a well known problem to avoid attacks from persons who have access to a valid user ID and password. Such persons cannot be denied access by the normal access control system, as they are in fact entitled to access to a certain extent. Such persons can be tempted to access improper amounts of data, bypassing the security. Solutions to this problem have been suggested:

Network Based Detection

Network intrusion monitors are attached to a packet-filtering router or packet sniffer to detect suspicious behavior on a network as it occurs. They look for signs that a network is being investigated for attack with a port scanner, that users are falling victim to known traps like .url or .lnk, or that the network is actually under an attack such as through SYN flooding or unauthorized attempts to gain root access (among other types of attacks). Based on user specifications, these monitors can then record the session and alert the administrator or, in some cases, reset the connection. Some examples of such tools include Cisco's NetRanger and ISS' RealSecure as well as some public domain products like Klaxon that focus on a narrower set of attacks.

Server Based Detection

These tools analyze log, configuration and data files from individual servers as attacks occur, typically by placing some type of agent on the server and having the agent report to a central console. Some examples of these tools include Axent's OmniGuard Intrusion Detection (ITA), Security Dynamics' Kane Security Monitor and Centrax's eNTrax as well as some public domain tools that perform a much narrower set of functions like Tripwire which checks data integrity.

Tripwire will detect any modifications made to operating systems or user files and send alerts to ISS' RealSecure product. RealSecure will then conduct another set of security checks to monitor and combat any intrusions.

Security Query and Reporting Tools

These tools query NOS logs and other related logs for security events or they glean logs for security trend data. Accordingly, they do not operate in real-time and rely on users asking the right questions of the right systems. A typical query might be how many failed authentication attempts have we had on these NT servers in the past two weeks. A few of them (e.g., SecurIT) perform firewall log analysis. Some examples of such tools include Bindview's EMS/NOSadmin and Enterprise Console, SecurIT's SecureVIEW and Security Dynamics' Kane Security Analyst.

Inference detection

A variation of conventional intrusion detection is detection of specific patterns of information access, deemed to signify that an intrusion is taking place, even though the user is authorized to access the information. A method for such inference detection, i.e. a pattern oriented intrusion detection, is disclosed in US patent 5278901 to Shieh et al.

None of these solutions are however entirely satisfactory. The primary drawback is that they all concentrate on queries that have already been executed, providing at best the information that an attack has occurred.

Summary of the invention

It is an object of the present invention to provide 
a method and a system for intrusion detection. 

According to the invention, this and other objects are achieved by defining at least one intrusion detection profile, each comprising at least one item access rate, associating each user with one of said profiles, receiving a query from a user, comparing a result of said query with the item access rates defined in the profile associated with the user, determining whether said query result exceeds said item access rates, and in that case notifying the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.

According to this method, the result of a query is evaluated before it is transmitted to the user. This allows for a real time prevention of intrusion, where the attack is stopped even before it is completed. This is possible by letting the intrusion detection process interact directly with the access control system, and change the user authority dynamically as a result of the detected intrusion.

The item access rates can be defined based on the number of rows a user may access from an item, e.g. a column in a database table, at one time, or over a certain period of time.

In a preferred embodiment the method further comprises accumulating results from performed queries in a record, and determining whether the accumulated results exceed any one of said item access rates. The effect is that on one hand, a single query exceeding the allowed limit can be prevented, but so can a number of smaller queries, each one on its own being allowed, but when accumulated not being allowed.

It should be noted that the accepted item access rates are not necessarily restricted to only one user. On the contrary, it is possible to associate an item access rate with a group of users, such as users belonging to the same access role (which defines the user's level of security), or connected to the same server. The result will be restricting the queries accepted from a group of users at one time or over a period of time.

The user, role and server entities are not exclusive of other entities which might benefit from a security policy.

According to an embodiment of the invention, items subject to item access rates are marked in the database, so that any query concerning said items automatically can trigger the intrusion detection process. This is especially advantageous if only a few items are intrusion sensitive, in which case most queries are not directed to such items. The selective activation of the intrusion detection will then save time and processor power.

According to another embodiment of the invention, the intrusion detection policy further includes at least one inference pattern, and results from performed queries are accumulated in a record, which is compared to the inference pattern, in order to determine whether a combination of accesses in said record match said inference policy, and in that case the access control system is notified to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.

This embodiment provides a second type of intrusion detection, based on inference patterns, again resulting in a real time prevention of intrusion.

Brief description of the drawings

These and other aspects of the invention will be apparent from the preferred embodiments more clearly described with reference to the appended drawings.

Fig 1 shows a database environment in which an 
embodiment of the present invention is implemented. 
Fig 2 is a schematic flowchart of an embodiment of the method according to the invention.

Detailed description of the currently preferred embodiment

The present invention may be implemented in an environment of the type illustrated in fig 1. The environment comprises a number of clients 1, connected to a server 2, e.g. a Secure.Data™ server from Protegrity, providing access to a database 3 with encrypted data 4. Several clients 1 can be connected to an intermediate server 5 (a proxy server), in which case we have a so called three tier application.

Users 6 use the clients 1 to access information 4 in the database 3. In order to verify and authorize attempted access, an access control system (ACS) 7 is implemented, for example Secure.Server™ from Protegrity.

The server is associated with an intrusion detection module 10, comprising software components 12, 13 and 18 for performing the method according to the invention.

Although the intrusion detection module 10 here is described as a separate software module, its components can be incorporated in the server software 2, for example in a security administration system (SAS) like Secure.Manager™ from Protegrity. It can reside in the server hardware 16, or in a separate hardware unit.

A first component 12 of the intrusion detection module 10 enables marking of some or all data items (e.g. columns in tables) in the database, thereby indicating that these items should be monitored during the intrusion detection process, as described below.

A second component 13 of the intrusion detection module 10 is adapted to store all results from queries including marked items, thereby creating a record 14 of accumulated access of marked items. If advantageous, the record can be kept in a separate log file 15, for long term storage, accumulating data access over a longer period of time.

The server 2 further has access to a plurality of security policies 20, preferably one for each user, one for each defined security role, or the like. These security policies can be stored in the security administration system 8, but also be stored outside the server. Each policy 20 includes one or several item access rates 21 and optionally an inference pattern 22.

An item access rate 21 defines the maximum number of rows of the selected item (e.g. column of a table) that a given user, role or server may access during a given period of time. The period of time can be defined as one single query, but can also be an accumulation of queries during a period of time. Preferably, a separate item access rate is defined for at least each item that has been marked in the database 3 by the component 12 of the intrusion detection module 10.

An inference pattern 22 defines a plurality of items (columns of certain tables) that when accessed in combination may expose unauthorized information. This means that an attempt by a user, role or server to access certain quantities of information from items in an inference pattern during a given period of time (e.g. in one request) implies that an intrusion is taking place, even if the associated item access rates have not been exceeded. For further information about the inference concept of intrusion, see US 5278901.

Returning to the intrusion detection module 10, a third component 18 is adapted to compare the result of a query with an item access rate 21 and an inference pattern 22. The component 18 can also compare the access rates 21 and inference patterns 22 with accumulated results, stored in the record 14 or log file 15.

When a user tries to access a database, the access control system 7 completes an authority check of the user. Different routines can be used, including automatic authorization by detecting IP address, or a standard log-in routine. In one embodiment, the authorized user will only have access to items defined in his role, i.e. the table columns that the user is cleared for and uses in his/her work. The access control system 7 then continually monitors the user activity, and prevents the user from accessing columns he/she is not cleared for. This process is described in detail in WO 97/49211, hereby incorporated by reference.
The intrusion detection according to the described embodiment of the invention is directed toward the situation where a user, authorized to access certain items, abuses this authority and tries to obtain information breaching the security policy of the database owner. The intrusion detection is divided into two different stages, a real time stage and an a posteriori analysis stage.

Real time:

With reference to fig 2, a request is received by the server in step S1, resulting in the generation of a result in step S2, i.e. a number of selected rows from one or several table columns. The software component 12 determines (step S3) if any items in the result are marked for monitoring in the database. If no marked items are included in the result, the result is communicated to the user in a standard way (step S4). If, however, marked items are included in the result, the intrusion detection component 13 stores the query result, or at least those parts referring to the marked items, in the record 14, and the program control initiates the intrusion detection (steps S6-S10).

First, in step S6, the intrusion detection component 18 compares the current query result and the updated record 14 with the item access rate 21 included in the security policy associated with the current user, the role that the user belongs to, or the server the user is connected to. Note that only item access rates 21 associated with the marked items comprised in the current result need to be compared.

If the current query result or accumulated record 14 includes a number of rows exceeding a particular item access rate 21, such a request will be classified as an intrusion (step S7), and the access control system 7 will be alerted (step S10).

Secondly, in step S8, if no item access rate is exceeded, the intrusion detection process compares the query result and accumulated record 14 with any inference pattern included in the relevant security policy. If the result includes a combination of items that match the defined inference pattern, such a request will also be classified as an intrusion (step S9), and the access control system will be alerted (step S10).

If no intrusion is found in step S7 nor step S9, the program control advances to step S4 and communicates the result to the user.

Upon an ACS alert (step S10), the access control system 7 is arranged to immediately alter the user authorization, thereby making the submitted request unauthorized. This can be effected easily, for example if the ACS 7 is part of the Secure.Data™ server from Protegrity.

For the user, the request, or at least parts of the request directed to items for which the item access rate was exceeded, will thus appear to be unauthorized, even though authority was initially granted by the access control system 7.

In addition to the immediate and dynamic alteration of the access control system 7, other measures can be taken depending on the seriousness of the intrusion, such as sending an alarm to e.g. the administrator, or shutting down the entire database. The server software 11 can send an alarm to a waiting process that a potential breach of security is occurring.
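The real time stage (steps S3 to S10) as a small Python model, added here as an example; it is not code from this application or from Protegrity. The Policy and IntrusionDetector names, the split of an item access rate 21 into a per-query and a per-window limit, and the column names in the constructed sample are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Policy:
    """Security policy 20: item access rates 21 and inference patterns 22 (assumed shapes)."""
    per_query: dict            # column -> max rows in a single query result
    per_window: dict           # column -> max rows accumulated within window_seconds
    window_seconds: int
    inference_patterns: list   # frozensets of columns that must not be combined

@dataclass
class IntrusionDetector:
    marked: set                                   # component 12: columns marked for monitoring
    policies: dict                                # user (or role/server) -> Policy
    record: dict = field(default_factory=lambda: defaultdict(list))  # record 14: (ts, col, rows)
    revoked: set = field(default_factory=set)     # users whose authorization the ACS altered

    def check(self, user, result, now):
        """Steps S3-S10 for one query result ({column: rows selected}).
        Returns ("ok", result) if it may be delivered, else ("intrusion", reason)."""
        touched = {c: n for c, n in result.items() if c in self.marked}
        if not touched:                           # S3 -> S4: no marked item, deliver as usual
            return "ok", result
        for c, n in touched.items():              # store the marked parts in record 14
            self.record[user].append((now, c, n))
        pol = self.policies[user]
        for c, n in touched.items():              # S6/S7: item access rates 21
            if n > pol.per_query.get(c, float("inf")):
                return self._alert(user, f"single-query rate exceeded on {c}")
            if self.accumulated(user, c, now) > pol.per_window.get(c, float("inf")):
                return self._alert(user, f"accumulated rate exceeded on {c}")
        seen = self.columns_in_window(user, now)  # S8/S9: inference patterns 22
        for pat in pol.inference_patterns:
            if pat <= seen:
                return self._alert(user, f"inference pattern {sorted(pat)} matched")
        return "ok", result                       # no intrusion: back to S4

    def accumulated(self, user, column, now):
        """Rows of one column this user fetched inside the policy window."""
        w = self.policies[user].window_seconds
        return sum(n for ts, c, n in self.record[user] if c == column and now - ts <= w)

    def columns_in_window(self, user, now):
        w = self.policies[user].window_seconds
        return {c for ts, c, _ in self.record[user] if now - ts <= w}

    def _alert(self, user, reason):
        self.revoked.add(user)                    # S10: ACS alters authorization before the result leaves
        return "intrusion", reason

# Constructed sample: 'salary' and 'name' are marked; at most 50 salary rows per
# query and 100 per hour; name+salary together within the hour is an inference pattern.
POLICY = Policy(per_query={"salary": 50}, per_window={"salary": 100}, window_seconds=3600,
                inference_patterns=[frozenset({"name", "salary"})])

def demo():
    ids = IntrusionDetector(marked={"name", "salary"}, policies={"alice": POLICY})
    verdicts = [ids.check("alice", {"dept": 500}, now=0)[0],   # unmarked column: ok
                ids.check("alice", {"salary": 40}, now=10)[0],  # ok, 40 rows accumulated
                ids.check("alice", {"salary": 40}, now=20)[0],  # ok, 80 accumulated
                ids.check("alice", {"salary": 40}, now=30)[0]]  # 120 > 100: intrusion
    return verdicts, sorted(ids.revoked)
```

Three queries of 40 rows each pass individually but trip the accumulated rate, which is the case the accumulated record 14 exists for.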



Long term analysis:

The query result can also be stored in the log file 15 by the intrusion detection module, as described above. The log file 15, which thus contains accumulated query results from a defined time period, can also be compared to the inference patterns 22 in the security profiles 20 of users, roles or servers, this time in an "after the event" type analysis.

Even though such an analysis cannot prevent the intrusion from taking place, it may serve as intelligence gathering, improving the possibilities of handling intrusion problems. While the real time protection is most efficient when it comes to preventing security breaches, the long term analysis can be more in depth and more complex, as time is no longer a critical factor.

Many three-tier applications (e.g. connections with a proxy 5) authenticate users to the middle tier 5, and then the TP monitor or application server in the middle tier connects to the database 3 as a super-privileged user, and does all activity on behalf of all users 6 using the clients 1. Preferably, the invention is implemented in a system, for example Secure.Data™ from Protegrity, in which the identity of the real client is preserved over the middle tier, thereby enabling enforcement of "least privilege" through a middle tier. The intrusion detection module 10 therefore can audit access requested both by the logged-in user who initiated the connection (e.g. …) and the user on whose behalf an action is taken. Audit records capture both the user taking the action and the user on whose behalf the action was taken. Auditing user activity, whether users are connected through a middle tier or directly to the data server, enhances user accountability, and thus the overall security of multi-tier systems. Audit records can be sent to the database audit trail or the operating system's audit trail, when the operating system is capable of receiving them. This option, coupled with the broad selection of audit options and the ability to customize auditing with triggers or stored procedures, provides the flexibility of implementing an auditing scheme that suits any specific business needs.
CLAIMS

1. A method for detecting intrusion in a database managed by an access control system, comprising:
defining at least one intrusion detection profile, each comprising at least one item access rate,
associating each user with one of said profiles,
receiving a query from a user,
determining whether a result of said query exceeds any one of the item access rates defined in the profile associated with the user, and, in that case,
notifying the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.

2. The method of claim 1, further comprising:
accumulating results from performed queries in a record, and
determining whether the accumulated results exceed any one of said item access rates.

3. The method of claim 1 or 2, wherein items subject to item access rates are marked in the database, any query concerning said items automatically triggering the intrusion detection.



4. The method of claim 3, wherein the step of determining whether an item access rate is exceeded includes determining if the query result includes rows from marked items, and only in that case proceeding with the intrusion detection process.

5. The method of any of the preceding claims, wherein one of said at least one item access rates defines the number of rows a user may access from a database item at one time.
6. The method of any of the preceding claims, wherein one of said at least one item access rates defines the number of rows a group of users may access from a database item at one time.

7. The method of any of the preceding claims, wherein one of said at least one item access rates defines the number of rows that may be accessed from a database item over a period of time.

8. The method of any of the preceding claims, wherein one of said at least one item access rates defines the number of rows a group of users may access from a database item over a period of time.

9. The method of any of the preceding claims, wherein the intrusion detection policy further includes at least one inference pattern, the method further comprising:
accumulating results from performed queries in a record,
comparing said record with said inference pattern, in order to determine whether a combination of accesses in said record match said inference policy, and in that case
notifying the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.
ABSTRACT

A method for detecting intrusion in a database managed by an access control system, comprising defining at least one intrusion detection profile, each comprising at least one item access rate, and associating each user with one of said profiles. Further, the method determines whether a result of a query exceeds any one of the item access rates defined in the profile associated with the user, and, in that case, notifies the access control system to alter the user authorization, thereby making the received request an unauthorized request, before said result is transmitted to the user.

The method allows for a real time prevention of intrusion by letting the intrusion detection process interact directly with the access control system, and change the user authority dynamically as a result of the detected intrusion.